How law firms can avoid social hacking

by Sol Dolor05 Oct 2016
An IT security expert is urging law firms to exercise more caution and use an old technology as fraudsters are becoming more sophisticated in their methods.
Michael Pook, a senior IT security engineer at Compel Computer Services, said that the telephone, a device which has existed for more than a century, could be one easy way that law firms could beat fraudsters.
In a recent feature by the New Zealand Law Society, the expert stressed the importance of vigilance as criminals become more cunning in their use of social hacking, or the use of a combination of social behaviours and information to bring about an outcome like successfully conning money.
“What we are seeing now is a shift away from direct hacking to deception and misdirection,” Pook told the Law Society.
Pook shared a story about a recent case he handled where the financial controller of a not-for-profit organisation received an email from their chair asking for an overseas funds transfer.
Pook shared that the fraudsters used the correct language, including the grammar of the chair, and had critical information like the person’s title and that the request should be made to the financial controller.
The attack, which went as far as the financial controller getting instructions to wire transfer 25,000 euros and the employee and account where it will be sent, was foiled the financial controller decided to give the chair a call. The financial controller was informed that the chair had not authorised any such transaction.
“You can have all the security in the world around your email system, but the problem you have is that you and people in your organisation are sending emails to people in the rest of the world who may not be on a secure mail system,” Pook said.
He also said vigilance and scepticism should always be present, making a case essentially for multi-factor authentication or the practice of confirming an action to be done only when two or more vital pieces of evidence are present.
For example, a transaction will only be initiated when an email and a phone call confirmation is received from an organisation’s official.
“Pick up a telephone and make a call to verify information. Relying on one form of identification is just not enough these days,” Pook said.
Pook also cautioned lawyers about employing cheap labour without safeguarding one’s self. For example, if a lawyer user outsourcing platforms for some work, confidentiality and conflict of interest agreements with the service provider should always be present, he said.